From 661bcd8603425934188cf139f33e20675ff4b765 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 7 Sep 2019 05:39:56 +0000
Subject: [PATCH] allow loading unsigned modules due to issues https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
---
 debian/control | 5 -----
 debian/security-misc.maintscript | 3 +++
 etc/default/grub.d/40_only_allow_signed_modules.cfg | 4 ----
 3 files changed, 3 insertions(+), 9 deletions(-)
 delete mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg
diff --git a/debian/control b/debian/control
index a71413d..9f28c33 100644
--- a/debian/control
+++ b/debian/control
@@ -80,11 +80,6 @@ Description: enhances misc security settings
 * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
- .
- * Requires every module to be signed before being loaded. Any module that is
- unsigned or signed with an invalid key cannot be loaded. This makes it harder
- to load a malicious module.
- /etc/default/grub.d/40_only_allow_signed_modules.cfg
 .
 Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities.
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index cca27e3..3dca986 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -2,3 +2,6 @@ ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc
+
+## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
+rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg
deleted file mode 100644
index 5441292..0000000
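Review bot: The added `rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg` line in debian/security-misc.maintscript passes no prior-version argument, so dpkg-maintscript-helper will attempt the removal on every upgrade instead of only on upgrades from versions that shipped the file; consider `rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg <PRIOR_VERSION>~` (placeholder, the package version is not visible in this patch). Removing the snippet changes the kernel command line only after grub.cfg is regenerated and the machine rebooted, and nothing shown here performs that step, so it is worth confirming the package's postinst covers it. Because the upgrade silently drops `module.sig_enforce=1` for every installation, including those where signed modules loaded fine, the comment above the line should state that module signature enforcement is no longer applied by this package and that an administrator who wants it must re-add the parameter in a local grub.d file.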
--- a/etc/default/grub.d/40_only_allow_signed_modules.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-## Requires every module to be signed before being loaded.
-## Any module that is unsigned or signed with an invalid key cannot be loaded.
-## This makes it harder to load a malicious module.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"